Why you need to guard your Backup Exec servers

If you have a Windows domain, there’s a fairly good chance you have Backup Exec servers, because you probably want to take backups. Because you need them. (As a security guy, I no longer care how you get backups; just that you’re getting them somehow.) Backup Exec is a popular solution for that. But there’s a problem.

A security problem, that is. The quality of Backup Exec as a product hasn’t been my problem since 2005. The problem I have with it now is that Backup Exec stores its passwords in a database. The passwords are encrypted, but it’s possible to decrypt the backup copy, if you’re determined enough.

And here’s the thing. As tempting as it would be to kick Symantec around, this is an extraordinarily difficult problem to solve. Backup Exec has to be able to retrieve passwords, so the encryption it uses is going to be possible for a bad guy to reverse.

So, anyone who has the ability to read files on the Backup Exec server has the ability to become a domain admin, assuming Backup Exec is using a domain admin account, which is a very safe assumption.

Do you trust your tape operators with domain admin privileges? No? Time to find some new tape operators, then. Seriously.

I’m not saying to go and give your tape operators domain admin rights, but if the idea of them having them makes you lose sleep, then you need to do something about it. And don’t give away login rights to the Backup Exec servers willy nilly. That’s asking for bad things to happen.

And this also goes without saying: Patching your Backup Exec servers should be at the very top of your priority list every month, since remote code execution on a Backup Exec server can lead directly to the keys to your network.

Another mitigation worth considering is to not use domain admin privileges all the time. Use accounts with non-administrative privileges if at all possible, and if it’s not possible, use a local account with administrative privileges instead. You may not be able to get around using a domain admin account to back up your domain controllers, but wouldn’t you rather have one backup server holding the keys to your kingdom than 15?